The problem with this is that it is still comparing fields and their respective values. The value(s) of 'field_value' can be any combination of field=value and would be dynamic, therefore defining a new field_value using eval wouldn't be efficient as I'd have to account for every possible field=value combination. I think the optimal situation here is to be able to "break out" 'field_value' and insert it into the search string. I would imagine a token + subsearch would work but I can't find a way to use a token inline in a search.

No. It would be dynamic and could be any combination of field=values.

I may have a workaround if the condition is always in format "field1=value1 AND field2=value2....". Is that the case (all conditions are conjoined by 'AND')?

The condition can be in any combination of field=value so just "field1=value1" or "field1=value1 AND field2=value2 OR field3=value3"... The fields and values would exist independently in the base search, but not the new field containing the field=value pairs/combinations. That's why I'm trying to find a way to change the field=value pairs/combinations from a field value into a search condition/string. Thanks for your attention, any ideas are welcome.

The field which contains the search condition is available in the raw data of base search(es) itself?

Nope, the new field which I am populating with the dynamic field=value combinations doesn't exist in the raw data. The individual fields & values would exist which is why I need to insert them into the search query. I don't think that would matter anyway as I'm not trying to match field values, I'm trying to insert field=values combinations into search string.

How are you populating the field which contains the search condition?
It wouldn't have helped if it was part of raw data, but if you're using a lookup OR something get that, there might be a way.

Gotcha. I am using a lookup. The field_value will be dynamically populated with various field=value combinations.

Would you mind providing your search, which includes the lookup command?

I have a search that doesn't work. Open to ideas...

some_events some_sourcetype NOT [|inputlookup some_lookup.csv]

I received an email alert for another comment here but it isn't showing up. Here it is quoted;

"Try something like this

some_events some_sourcetype NOT [|inputlookup some_lookup.csv | eval search=field_that_contains_conditions | table search ]"

I believe this is just renaming my field in the lookup table to 'search' not actually creating search conditions from the field value. I couldn't find an eval function called "search".

Try something like this

some_events some_sourcetype NOT [|inputlookup some_lookup.csv | eval search=field_that_contains_conditions | table search ]